US hospital paid $55,000 ransom to hackers despite having backups

A US hospital has decided to pay a ransom of 4 bitcoin to regain access to some 1,400 files locked by attackers.

Hancock Health, a regional hospital based in Greenfield, Indiana, said they’d noticed the attack the evening of Thursday, January 11, when employees got locked out of systems and were faced with the ransom note.

“Through the effective teamwork of the Hancock technology team, an expert technology consulting group, and our clinical team, Hancock was able to recover the use of its computers, and at this time, there is no evidence that any patient information was adversely affected,” the hospital stated on Monday, January 15.

That statement made it sound as though the hospital had recovered without paying the ransom, but, as it turns out, it ultimately chose to pay.

According to the local media, the attackers targeted more than 1,400 files and temporarily changed their names to “I’m sorry.”

Hancock Health CEO Steve Long says that even though they had backups of the files, they decided to pay the ransom, as restoring the files from backup would have taken days or even weeks. Also, the whole process would have been more costly than the $55,000 they paid out to the attackers.

Law enforcement usually advises victims not to pay the ransom, as there is no guarantee they will get anything in return.

But, for Hancock Health, the gamble paid off: the attacker sent them the decryption key on Saturday morning. The IT staff went to work, and by Monday all systems were running as usual.

How did the attackers manage to break in?

Long says that the compromise wasn’t the result of an employee opening a malicious email attachment.

Instead, the attackers accessed the hospital’s remote access portal, logging in with an outside vendor’s username and password, and deployed the SamSam (aka Samas) ransomware on computers across the network.

And while the hospital leaders told employees to reset their passwords and the IT department to implement software that could detect a similar attack in the future (by recognizing suspicious patterns), Long says that, unfortunately, they could be hit again in the same way.

The hackers got hold of an authorized username and password, and with that information, there’s little companies can do to prevent intrusions, he told the Daily Reporter.
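Long's remark about software that recognizes suspicious patterns points at the kind of correlation a defender would build for this case: a third-party account logging in through the remote-access portal, followed by a burst of file renames to one repeated name. The following is an added example, not code from the article or the hospital; the log formats, account names (`vendor_svc`, `jdoe`), thresholds and window are assumptions, and the log records are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed remote-access portal logins: (timestamp, account, account type).
PORTAL_LOGINS = [
    ("2018-01-11 09:02:00", "jdoe", "employee"),
    ("2018-01-11 21:40:00", "vendor_svc", "vendor"),  # hypothetical vendor account
]

def make_file_events():
    """Constructed file-server audit records: (timestamp, account, action, new name)."""
    events = [("2018-01-11 09:05:00", "jdoe", "rename", "budget_v2.xlsx")]
    start = datetime(2018, 1, 11, 21, 45)
    for i in range(25):  # a burst of renames to one repeated name
        ts = (start + timedelta(seconds=i)).strftime("%Y-%m-%d %H:%M:%S")
        events.append((ts, "vendor_svc", "rename", "I'm sorry"))
    return events

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def detect(logins, file_events, threshold=20, window=timedelta(minutes=30)):
    """For each portal login, count renames by that account within `window`.
    Alert when the count reaches `threshold`; a vendor account, or one name
    repeated across most of the renames, raises the severity to high."""
    alerts = []
    for ts, account, kind in logins:
        login_at = parse(ts)
        names = Counter(
            new_name for t, acct, action, new_name in file_events
            if acct == account and action == "rename"
            and login_at <= parse(t) <= login_at + window
        )
        total = sum(names.values())
        if total < threshold:
            continue
        top_name, top_count = names.most_common(1)[0]
        repeated = top_name if top_count * 2 > total else None
        severity = "high" if kind == "vendor" or repeated else "medium"
        alerts.append({"account": account, "login": ts, "renames": total,
                       "repeated_name": repeated, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(PORTAL_LOGINS, make_file_events()):
        print(alert)
```

The single employee rename stays below the threshold, while the vendor account's burst of 25 renames to "I'm sorry" produces one high-severity alert.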

The FBI and the cybersecurity company they called in to help are still investigating, but at the moment it seems that the attackers did not steal any patient data.

The breach also did not affect equipment used to treat or diagnose patients, and the staff managed to make do with pen and paper to keep track of patients’ medical records while the systems and the hospital’s patient portal were down.